Firebase电子邮件和密码身份验证是否具有任何安全配置选项?
[英]Does Firebase Email and Password authentication have any security configuration options?
问题描述
While sniffing the Firebase traffic, I have seen that a code is passed to the auth server so that it always returns a 200 status code. 
在嗅探Firebase流量时,我已经看到代码被传递给auth服务器,因此它总是返回200状态代码。 This shows that there is some level of optional security at some level in the authentication protocol. 这表明在身份验证协议中某些级别存在某种级别的可选安全性。
Is there a way to cause Firebase authentication to fail with an identical error message when the user enters a non-existent email address as when they enter the wrong password? 当用户输入不存在的电子邮件地址时,如果输入错误的密码,是否有办法导致Firebase身份验证失败并显示相同的错误消息?
The INVALID_USER status code gives me concern about the potential for a user enumeration attack , in a case where my application has become compromised via script injection. INVALID_USER状态代码让我担心用户枚举攻击的可能性,在我的应用程序通过脚本注入受到攻击的情况下。
Information on how to more securely lock down the Firebase auth protocol, and/or some sort of statement about smart rate limiting (somehow distributed attack immune?) being applied would probably go a long way to assuring me that Firebase's built-in email and password auth is indeed secure (assuming Firebase rules are set up correctly, certs aren't compromised on the client, etc). 有关如何更安全地锁定Firebase身份验证协议的信息,和/或某些关于智能速率限制(某种程度上是分布式攻击免疫?)的声明可能会对我保证Firebase的内置电子邮件和密码有很长的路要走auth确实是安全的(假设Firebase规则设置正确,证书不会在客户端上受到损害等)。
1 个解决方案
解决方案1
6 已采纳 2015-10-01 00:07:24
(Firebase employee) For now, the answer is no: you can't control the status codes reported to the client. (Firebase员工)目前,答案是否定的:您无法控制向客户端报告的状态代码。
The good news is that an enumeration attack would be fairly difficult, as we throttle requests by origin to mitigate any brute force approaches. 好消息是枚举攻击相当困难,因为我们通过原点限制请求以减轻任何蛮力方法。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.